Problem With Search.finwhatever.com And Hijackthis



I am having a problem with search.findwhatevernow.com and cannot get HijackThis to run without generating errors!

I have used and run Norton Anti-Virus 2005, AVG (most recent), Spybot, Ad-Aware (12/04), SpySubtract. All have fixed what they found. My OS is Windows 2000 Professional and I am using Mozilla Firefox and Thunderbird, but IE is on my computer because I can't delete it without causing havoc.

Symptoms:

Multiple attempts to log into Windows

Computer extremely slow starting up to the point where I can actually click an icon and begin using the computer; seems to have something running in background

Both browsers can't find yahoo, google, trouble finding others and when it does, images are missing and text font size too large on some parts and too small on others. Other sites work fine.

I downloaded HijackThis and saved it to my My Documents folder. When I ran HijackThis it began scanning and then I got a message saying HijackThis had generated errors and would have to be restarted. I deleted that file, downloaded it again and the same thing happened. I completely shut off the computer, turned it on and tried again - same message.

What's up with that? I did some research and found that this virus or whatever it is changes DNS entries.

Thanks,


Hello Pekoe,

Try this: go to Start > Control Panel > Network Connections, right-click Local Area Connection and choose Properties.

In the Local Area Connection Properties window you should see Internet Protocol (TCP/IP); click on that once, then click the Properties button.

In the bottom section of this window there is an "Obtain DNS server address automatically" option with a checkbox and a "Use the following DNS server addresses" checkbox.

Copy the numbers, then clear the numbers in the "Preferred DNS server" line and the "Alternate DNS server" line and then check the box to Obtain DNS server address automatically.

Click OK, then OK again. Next reboot your computer and give it a try. If for some reason you can't get back here after following the above instructions, just reenter the numbers.

Also who is your internet service provider?

Next, please download HijackThis 1.98.2 from http://dknoppix.com/Downloads/hijackthis1982.zip, and unzip it to a permanent folder. To do this:

Double Click on 'HijackThis.zip' to extract and install HijackThis.exe to the new folder.

Open HijackThis, press the "Scan" button with HJT and press the "Save Log" button. (A Notepad window will open with the log in it when you click Save Log.) (Ctrl-A to 'select all', Ctrl-C to 'copy')

POST the log in this thread using 'Add Reply' (Ctrl-V to 'paste')

DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS SOME OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER

dk :)

I have two Local Area Connections, one with Obtain number automatically checked and one with Use the following numbers (it has numbers).

What should I do?

When following my instructions, please change the ones with the numbers.

dk :)


BTW, my Internet Service provider is Green Mountain Access (gmavt.net). Successfully got the log! Here it is:

Logfile of HijackThis v1.98.2

Scan saved at 10:21:20 PM, on 1/6/2005

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINNT\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\PROGRA~1\Adaptec\DirectCD\directcd.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\Real\RealJukebox\tsystray.exe

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\WINNT\System32\qttask.exe

C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_server.exe

C:\WINNT\system32\itunes.exe

C:\WINNT\system32\rundll32.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE

C:\WINNT\system32\rundll32.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\WINNT\system32\itunes.exe

C:\WINNT\system32\wuauclt.exe

C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE

C:\Program Files\FinePixViewer\QuickDCF.exe

C:\Program Files\interMute\SpySubtract\SpySub.exe

C:\Program Files\KeirNet\K9\K9.exe

C:\PROGRA~1\EFFICI~1\ENTERN~1\app\EnterNet.exe

C:\Program Files\Mozilla Thunderbird\thunderbird.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Program Files\ZipGenius\zipgenius.exe

C:\ZGtemp\906543\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINNT\System32\nzdd.dll

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [RealJukeboxSystray] C:\Program Files\Real\RealJukebox\tsystray.exe

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe

O4 - HKLM\..\Run: [ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe

O4 - HKLM\..\Run: [screenPrint32] C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"

O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [mm_server] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_server.exe

O4 - HKLM\..\Run: [Configuration Loade32r] itunes.exe

O4 - HKLM\..\Run: [Win32 USB2] wins32.exe

O4 - HKLM\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run

O4 - HKLM\..\Run: [sysPersonalFirewall] system.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe

O4 - HKLM\..\RunServices: [Configuration Loade32r] itunes.exe

O4 - HKLM\..\RunServices: [Win32 USB2] wins32.exe

O4 - HKLM\..\RunServices: [sysPersonalFirewall] system.exe

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"

O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [Win32 USB2] wins32.exe

O4 - HKCU\..\Run: [sysPersonalFirewall] system.exe

O4 - HKCU\..\Run: [Configuration Loade32r] itunes.exe

O4 - Startup: Launch K9.lnk = C:\Program Files\KeirNet\K9\K9.exe

O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\Realdownload.exe

O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe

O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {0C98419E-324F-11D3-9A23-00C04FF40D52} (McAfee Clinic AV Installer Control) - http://download.mcafee.com/molbin/clinic/v...an/mgavinst.cab

O16 - DPF: {36C417C6-13C6-448B-9784-DD73A93B0582} (McAfee.com Download+Installer Class) - http://download.mcafee.com/molbin/shared/mcinstall.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20010620...meInstaller.exe

O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...55/mcinsctl.cab

O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab

O16 - DPF: {CDB74794-A3BA-4733-B6F6-59BF16D6C15A} (McAfee Smart Shop - Update Class) - http://download.mcafee.com/molbin/mcaeng/mcsmtshp.cab

O16 - DPF: {DA28C54E-D95C-11D3-9A01-005004677EF4} - http://download.mcafee.com/molbin/clinic/CDM/McCDM.cab


Hello Pekoe,

I will be assisting you with your HijackThis log.

Press Ctrl-Alt-Del and end the following processes:

itunes.exe

itunes.exe

(Yes, there are two.)

Next, open HijackThis, click the "Scan" button and check the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe

O4 - HKLM\..\Run: [Configuration Loade32r] itunes.exe

O4 - HKLM\..\Run: [Win32 USB2] wins32.exe

O4 - HKLM\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run

O4 - HKLM\..\Run: [sysPersonalFirewall] system.exe

O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe

O4 - HKLM\..\RunServices: [Configuration Loade32r] itunes.exe

O4 - HKLM\..\RunServices: [Win32 USB2] wins32.exe

O4 - HKLM\..\RunServices: [sysPersonalFirewall] system.exe

O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe

The following are optional to delete, but will increase your startup time:

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [RealJukeboxSystray] C:\Program Files\Real\RealJukebox\tsystray.exe

(These both will have to be turned off within the program)

O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe

(This one will also need to be turned off inside the program)

These are ActiveX controls. These only work for IE, and I recommend deleting them:

O16 - DPF: {0C98419E-324F-11D3-9A23-00C04FF40D52} (McAfee Clinic AV Installer Control) - http://download.mcafee.com/molbin/clinic/v...an/mgavinst.cab

O16 - DPF: {36C417C6-13C6-448B-9784-DD73A93B0582} (McAfee.com Download+Installer Class) - http://download.mcafee.com/molbin/shared/mcinstall.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20010620...meInstaller.exe

O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...55/mcinsctl.cab

O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab

O16 - DPF: {CDB74794-A3BA-4733-B6F6-59BF16D6C15A} (McAfee Smart Shop - Update Class) - http://download.mcafee.com/molbin/mcaeng/mcsmtshp.cab

O16 - DPF: {DA28C54E-D95C-11D3-9A01-005004677EF4} - http://download.mcafee.com/molbin/clinic/CDM/McCDM.cab

After you have checked the above items, close ALL windows except HijackThis, and click "Fix Checked".

Next, you need to reboot into safe mode. To do this:

*Turn the computer on

*When you see the black-and-white Starting Windows bar at the bottom of the screen, start tapping the F8 key.

*The Windows 2000 Advanced Options Menu will appear.

*Choose the Safe mode option. (it is usually the first item in the list).

*Use the arrow keys to select it if it is not selected by default.

*Press Enter. The computer will start in Safe mode.

When safe mode boots up, navigate to the following directory/file in Windows, and delete it:

C:\WINNT\system32\itunes.exe <---------File

C:\Program Files\WebSpecials\webspec.dll <------Folder

Next, go to the "Start" menu, then "Find". Search for the following files, and delete them:

smsc.exe

wins32.exe

system.exe

Reboot into normal mode, run HijackThis and post a new log to see if there is any malware left on your computer.

dk :)
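A triage aid for logs like the one in this thread, added here as an example and not part of any post above: it parses the O4 registry autorun lines and reports any value registered under more than one autorun key. The function names and the repetition heuristic are assumptions of this example; repetition across `Run` and `RunServices` is a hint for closer inspection, not a verdict, and on this log it surfaces the same four file names the reply above lists for removal.

```python
import re
from collections import defaultdict

# Constructed sample: O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\Run: [Configuration Loade32r] itunes.exe
O4 - HKLM\..\Run: [Win32 USB2] wins32.exe
O4 - HKLM\..\Run: [sysPersonalFirewall] system.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\RunServices: [Configuration Loade32r] itunes.exe
O4 - HKLM\..\RunServices: [Win32 USB2] wins32.exe
O4 - HKLM\..\RunServices: [sysPersonalFirewall] system.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [Win32 USB2] wins32.exe
O4 - HKCU\..\Run: [sysPersonalFirewall] system.exe
O4 - HKCU\..\Run: [Configuration Loade32r] itunes.exe
"""

# Matches registry autoruns only; "O4 - Startup:" shortcut lines are skipped.
O4_RE = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\(\w+): \[(.+?)\] (.+)$")

def parse_o4(log_text):
    """Yield (autorun key, value name, command) for each O4 registry line."""
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, key, name, command = m.groups()
            yield f"{hive}\\{key}", name, command.strip()

def repeated_autoruns(log_text, min_keys=2):
    """Return {(name, command): [keys]} for values set in >= min_keys keys."""
    seen = defaultdict(set)
    for key, name, command in parse_o4(log_text):
        seen[(name, command.lower())].add(key)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_keys}

def has_no_path(command):
    """True when the executable is a bare file name with no directory."""
    return "\\" not in command.strip('"').split(" ")[0]

if __name__ == "__main__":
    for (name, command), keys in sorted(repeated_autoruns(SAMPLE_LOG).items()):
        note = " (no path)" if has_no_path(command) else ""
        print(f"{command}{note} [{name}] in {', '.join(keys)}")
```

A bare file name alone is a weak signal: `point32.exe` in the same log is also registered without a path, which is why the example keys on repetition across autorun keys first.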
